HackDig : Dig high-quality web security articles for hacker

Jenkins is a continuous integration server, widely used in Java environments for build automation and deployment. The project recently disclosed an unauthenticated remote code execution vulnerability discovered by Moritz Bechler. Depending on the development environment, a Jenkins server can be a critical part of the infrastructure: it often creates the application packages that are later deployed to production application servers. An attacker who can execute arbitrary code on it can easily manipulate those packages and inject additional code. Another scenario is an attacker stealing credentials, such as passwords or private keys, that are used for authentication in the deployment process.

The advisory on the project site does not give much detail about the problem:

Jenkins remoting is used for communications between master and agent (fka “slave”) or master and CLI. (You can set up slave servers for distributed builds.) This port is activated in the default configuration and it requires no authentication for connecting and arbitrary class deserialization.
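As an added defensive example (not code from the advisory or the Jenkins project), the following Python audits the slaveAgentPort element of a Jenkins config.xml, the setting that controls the remoting port quoted above, and produces a hardened copy with the listener disabled. The sample config is constructed and the value semantics (-1 disabled, 0 random port, positive fixed port) are Jenkins' own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins $JENKINS_HOME/config.xml (not from the page);
# only the elements relevant to the remoting port are included.
SAMPLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <slaveAgentPort>0</slaveAgentPort>
</hudson>
"""


def remoting_port_status(config_xml: str) -> dict:
    """Classify the JNLP/remoting TCP port setting in a Jenkins config.xml.

    <slaveAgentPort> semantics: -1 disables the listener, 0 binds a random
    port at startup, a positive value pins a fixed port. A missing element is
    treated as the default, in which the port is enabled.
    """
    root = ET.fromstring(config_xml)
    node = root.find("slaveAgentPort")
    if node is None or node.text is None:
        return {"port": None, "enabled": True,
                "finding": "remoting port not configured; default enables it"}
    port = int(node.text.strip())
    if port == -1:
        return {"port": -1, "enabled": False, "finding": "remoting port disabled"}
    desc = "random port" if port == 0 else f"fixed port {port}"
    return {"port": port, "enabled": True,
            "finding": f"remoting port enabled ({desc}); unauthenticated clients "
                       "can reach the deserialization endpoint"}


def disable_remoting_port(config_xml: str) -> str:
    """Return config.xml with <slaveAgentPort> set to -1 (listener disabled)."""
    root = ET.fromstring(config_xml)
    node = root.find("slaveAgentPort")
    if node is None:
        node = ET.SubElement(root, "slaveAgentPort")
    node.text = "-1"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(remoting_port_status(SAMPLE_CONFIG)["finding"])
    print(disable_remoting_port(SAMPLE_CONFIG))
```

Disabling the listener also breaks JNLP-launched agents and remote CLI connections, so confirm none are in use before writing the hardened file back and restarting Jenkins.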